Monday 22 September 2008

SBS 2008 - Password policy setting out of the box...

As we are going through the SBS 2008 RTM setup we now have with a fine-toothed comb, this one came up as a bit of a surprise:

SBS 2008 Password Expiration Policy: 180 Days!

Break out the handy dandy Windows Calculator and we come up with: 6 Months!

From a Microsoft article: Strong passwords: How to create and use them.

Change your passwords regularly. This can help keep criminals and other malicious users unaware. The strength of your password will help keep it good for a longer time. A password that is shorter than 8 characters should be considered only good for a week or so [highlight ours], while a password that is 14 characters or longer (and follows the other rules outlined above) can be good for several years.

Given that the article states an 8 character password is good for about a week, and our Group Policy setting out of the box is set to 8 characters, there was something missed somewhere in the SBS development cycle in our opinion.

A number of years back when we were preparing for SBS 2003 and Remote Web Workplace access, we spent a number of months training our clients' users to use passphrases and have them rotate on a fairly frequent basis.

What was that sound that we heard as we spoke about passwords turning into passphrases and requiring them to be changed? Was it something like nails down a chalkboard? Or perhaps that high-pitched background whiny sound that can drive people absolutely crazy?

The schedule we aimed for was a 45 day rotation and in most client cases we were able to hit in and around the 50-60 day frequency. One or two clients absolutely dug in and we ended up with a 75 day rotation in their case.

At the same time, we were talking about the minimum number of characters in the password, and for the most part we were able to implement 10 characters with complexity. A few were really not happy about that, but after a number of months they were able to accept the changes.

One of the benefits of having the password rotate on a fairly frequent basis is the reduced number of support calls from clients with no on-site "technical" person who could reset their password for them.

We also make a point of training users to change their password early in the week when they start seeing the password change reminder. There is nothing worse than having the deer-in-the-headlights look on a Monday morning when the wrong password error comes up ... been there once.

So, what happens if we change that setting? This:

Note: If you change the password policy requirements at any time to enforce a more secure password policy, then all passwords are reset, and the users have to re-enter a new password whenever they log on to the network.

The note is taken directly from the SBS 2008 Help on the subject. The online TechNet documentation does not have it from any searches done on the site.

So, for any new SBS 2008 build, changing these settings to be more in line with the client's environment is mandatory before adding the users.

If the policy is going to be changed on an existing SBS 2008 network, then the users need to be notified that their passwords will need to be changed as soon as the policy is implemented ... and it should be done on a Monday or Tuesday.
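As an added example (not code from the original post or from the SBS product), here is a PowerShell script that reads the password policy currently written to the domain object via ADSI, which is available in the PowerShell that ships with Windows Server 2008 / SBS 2008 without the later ActiveDirectory module, and compares it against the targets the post describes (45-day rotation, 10 characters with complexity). The 45 and 10 thresholds are the post's own numbers and are assumptions to adjust for the client; the function names are the example's own. Run it on a fresh build before adding users, and on an existing network before tightening the policy, since tightening it triggers the reset described in the Help note above.

```powershell
# Added example: report the effective domain password policy and flag settings
# that fall short of the post's targets. Read-only; it changes nothing.
# Note: this reads the default domain policy values on the domain object only;
# Fine-Grained Password Policies (Server 2008 functional level) are not covered.

$TargetMaxAgeDays = 45   # assumption: the post's 45-day rotation target
$TargetMinLength  = 10   # assumption: the post's 10-character minimum

function Get-DomainPasswordPolicy {
    $rootDse = [ADSI]"LDAP://RootDSE"
    $domain  = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)

    # maxPwdAge is a negative Int64 count of 100-nanosecond intervals (.NET ticks).
    # Int64.MinValue means "passwords never expire"; Math.Abs would overflow on it,
    # so test for it first.
    $ageTicks = $domain.ConvertLargeIntegerToInt64($domain.maxPwdAge.Value)
    if ($ageTicks -eq [Int64]::MinValue -or $ageTicks -eq 0) {
        $maxAgeDays = 0
    } else {
        $maxAgeDays = [TimeSpan]::FromTicks([Math]::Abs($ageTicks)).TotalDays
    }

    # pwdProperties bit 0x1 is DOMAIN_PASSWORD_COMPLEX (complexity requirements on).
    $complexity = (([int]$domain.pwdProperties.Value) -band 1) -eq 1

    @{
        Domain        = [string]$rootDse.defaultNamingContext.Value
        MaxPwdAgeDays = [Math]::Round($maxAgeDays, 1)
        MinPwdLength  = [int]$domain.minPwdLength.Value
        HistoryLength = [int]$domain.pwdHistoryLength.Value
        Complexity    = $complexity
    }
}

function Test-DomainPasswordPolicy {
    param($Policy, $MaxAgeDays = $TargetMaxAgeDays, $MinLength = $TargetMinLength)
    $findings = @()

    if ($Policy.MaxPwdAgeDays -eq 0) {
        $findings += "Passwords never expire (maxPwdAge is 0)."
    } elseif ($Policy.MaxPwdAgeDays -gt $MaxAgeDays) {
        $findings += ("Maximum password age is {0} days; target is {1}." -f `
                      $Policy.MaxPwdAgeDays, $MaxAgeDays)
    }
    if ($Policy.MinPwdLength -lt $MinLength) {
        $findings += ("Minimum password length is {0}; target is {1}." -f `
                      $Policy.MinPwdLength, $MinLength)
    }
    if (-not $Policy.Complexity) {
        $findings += "Password complexity is not enforced."
    }
    if ($Policy.HistoryLength -eq 0) {
        $findings += "No password history is kept, so users can reuse the old password."
    }
    $findings
}

$policy = Get-DomainPasswordPolicy
"Password policy for " + $policy.Domain
$policy.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize

$findings = Test-DomainPasswordPolicy -Policy $policy
if ($findings.Count -eq 0) {
    "Policy meets the targets."
} else {
    "Findings:"
    $findings | ForEach-Object { " - " + $_ }
    # Tightening any of these on an existing network forces every user to set a
    # new password at next logon (SBS 2008 Help), so notify users and schedule it
    # early in the week; on a new build, fix the policy before creating users.
}
```

The same values can be cross-checked from a command prompt on the server with `net accounts /domain`, which prints the maximum password age and minimum length the domain is enforcing; the script above adds the complexity and history settings and the comparison against the targets.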

Philip Elder
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.


Anonymous said...

How do I get to that change password policies screen?

Anonymous said...

Microsoft TechNet Article

Change Password Policies